ssh -i option does not work properly with ssh-agent

Ángel González keisial at gmail.com
Mon Mar 16 08:52:54 AEDT 2015


On 15/03/15 15:48, Jens Stimpfle wrote:
> Hi,
>
> I noticed that the ssh -i<keyfile>  option is "ignored" in my case:
>
> On my server, I have two keys in .ssh/authorized_keys:
>
> command="echo A" ssh-rsa A...  # Key A
> command="echo B" ssh-rsa B...  # Key B
>
> Suppose these keys are stored on my client as A{,.pub} and B{,.pub}. Now
> the following situation:
>
> $ ssh-add -L
> ssh-rsa A...
> $ ssh -i B server
> A
>
> As you can see, when A is loaded in ssh-agent but B isn't, the
> connection is made with key A even when B is specifically requested.
>
> I looked around the source and found a few hints here and there
> (readconf.c:add_identity_files(), sshconnect2.c:pubkey_prepare(), the
> "userprovided" tag in the Options struct...), but overall it's unclear
> to me what the semantics of "-i" is actually meant to be.
>
> What I always expected from "-i" was that only the keys given with -i
> are tried, or at least these keys are tried first, irrespective of
> whether or not they are loaded into ssh-agent.

ssh tries with the ssh-agent keys first, then with the one provided with -i.
As A is loaded and accepted, B is never tried.
I have been bitten by that several times, too. Usually when having many 
keys in the agent, and trying to use a specific key, just to be rejected 
by attempting a login with too-many-keys. I usually prepend env -i to 
the ssh command, to disconnect it from the agent. Although as Stephen 
mentions, you can also solve it with -o IdentitiesOnly=yes.

IMHO it should try -i keys first, and then the agent ones. But if the -i 
key is already in the agent, it would be preferable not to ask for its 
password again...
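The workaround the reply lands on (-o IdentitiesOnly=yes) plus the "is this key already in the agent?" check it wishes for, as an added example that is not code from this thread or from OpenSSH itself; it assumes the standard `ssh-add -L` line format and keys stored as `KEY` and `KEY.pub`:

```sh
#!/bin/sh
# Added example, not from the thread: offer only the key named with -i, and
# report beforehand whether that key is already loaded in the agent.
# Assumes `ssh-add -L` lines look like "<type> <base64 blob> [comment]".

# agent_has_key AGENT_LIST PUBKEY_FILE
# AGENT_LIST is the text printed by `ssh-add -L`. Returns 0 if the public key
# in PUBKEY_FILE is loaded in the agent, 1 if not, 2 if the file is unusable.
# Only the base64 blob (field 2) is compared: the comment field differs
# between copies of the same key and must be ignored.
agent_has_key() {
    agent_list=$1
    pubkey_file=$2
    blob=$(awk 'NR == 1 { print $2 }' "$pubkey_file" 2>/dev/null)
    [ -n "$blob" ] || return 2
    printf '%s\n' "$agent_list" |
        awk -v b="$blob" '$2 == b { found = 1 } END { exit found ? 0 : 1 }'
}

# ssh_with_key KEYFILE HOST [ssh args...]
# IdentitiesOnly=yes makes ssh offer only the identities named by -i (or by
# IdentityFile in ssh_config), so an unrelated agent key such as A in the
# thread is no longer tried first and cannot use up the server's
# authentication-attempt limit. If KEYFILE itself is in the agent, ssh still
# lets the agent sign with it, so no passphrase prompt appears.
ssh_with_key() {
    keyfile=$1; shift
    if agent_has_key "$(ssh-add -L 2>/dev/null)" "$keyfile.pub"; then
        echo "note: $keyfile is loaded in the agent; the agent will sign" >&2
    fi
    exec ssh -o IdentitiesOnly=yes -i "$keyfile" "$@"
}

# The other workaround from the thread, `env -i ssh ...` (equivalently
# `unset SSH_AUTH_SOCK`), detaches ssh from the agent entirely, at the price
# of a passphrase prompt even when the wanted key is already loaded.
```

Invoke it as `ssh_with_key B server` to reproduce the thread's scenario with key B actually offered.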
